Mobile SSL VPN + NPS w/ Azure Extension + Azure MFA

Hi Guys,

Just wondering if anyone has gotten this combination to work as of yet - My users currently use Mobile SSL VPN against NPS servers. We also have modern authentication enabled along with MFA on our Azure tenant.

I'd love to have MFA functionality when a user connects using the SSL client. From what I understand, all I really need to do is install the Azure extension on the NPS server, and everything else seems to be configured, but I just can't seem to get a successful connection. During authentication, the second factor is triggered on the users' devices, but after completing the sign in, the connection fails.

Any input would be greatly appreciated!



  • James_Carson Moderator, WatchGuard Representative

    Hi @Flocons

    I'd suggest opening a support case. So long as the Firebox gets a RADIUS access-accept with the correct group (via FilterID or RADIUS attribute 11) then it should work.

    If you'd prefer to do it yourself, running Wireshark with the filter "udp.port==1812" on the RADIUS server (or replace that port with the alternate port you're using) should allow you to see the access-accept. Is Attribute 11 defined? If not, you'll need to configure this on the server.

    My guess would be that the group is not coming across, which would make everything seem like it was working, but the user would not be able to access anything. In the firewall logs, you'd likely see red deny logs that say "unhandled MUVPN packet."

    -James Carson
    WatchGuard Customer Support

  • We have this working fine for the IKEv2 vpn but I cannot for the life of me get it working on the ssl-vpn - I default the Radius (NPS) server as the authentication server but it just doesn't work? Has anybody got the ssl-vpn working with Radius and Microsoft authenticator?

  • I have the SSLVPN working with RADIUS and AuthPoint, and I suspect that the Microsoft Authenticator should work. The key is that the SSLVPN needs to have the FilterID set as mentioned above.

    Gregg Hill

  • edited March 24

    We have this working on a number of clients. Only supported methods are SMS, or Authenticator Code. Push or phone call won't work.

    Azure NPS Extensions will take over your NPS, so you need an NPS server dedicated for Azure MFA. e.g. if you have Wireless 802.1x you will find that the NPS extensions will interfere and prevent your wireless clients from connecting due to "an error with a dll" - meaning the Azure NPS extensions.

    RADIUS Client: Add your firewall's IP address
    RADIUS Secret: Common password between both.

    Connection Request Policy:

    • Conditions: Client IPv4 address of the Firewall
    • Settings: Radius Attribute -> Filter-ID = The Name of your SSL VPN Users group e.g. VPN-Access, VPN-Contractors etc.

    Network Policies:

    • Conditions:

      • Client IPv4 address of the Firewall
      • User Groups: The Domain Based Security Groups - The name should match the names from your WatchGuard.
    • Settings:

      • Access Permission: Grant Access
      • Authentication Method: Unencrypted (PAP,SPAP)

    Finally, remember to review the setting under Change Log File Properties - "If logging fails, discard connection requests". By default this is enabled, and out of the box doesn't work properly. This can also cause logon issues that may not be obvious.
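
The check suggested in the replies above (does the Access-Accept carry Filter-Id, RADIUS attribute 11, with the SSL VPN group name?) can be run against the raw UDP payload of a captured RADIUS reply. This is an added example, not part of the thread or WatchGuard's tooling; the function names, the constructed sample packets and the exact-string group comparison are assumptions.

```python
import struct

ACCESS_ACCEPT = 2   # RFC 2865 packet code
FILTER_ID = 11      # RFC 2865 attribute type

def parse_radius(packet: bytes):
    """Return (code, {attr_type: [values]}) for one RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("length field does not match the captured bytes")
    attrs, pos = {}, 20              # attributes follow the 16-byte authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(a_type, []).append(packet[pos + 2:pos + a_len])
        pos += a_len
    return code, attrs

def check_group(packet: bytes, expected_group: str) -> str:
    """Explain whether this reply carries the group the firewall expects."""
    code, attrs = parse_radius(packet)
    if code != ACCESS_ACCEPT:
        return f"not an Access-Accept (code {code})"
    groups = [v.decode("utf-8", "replace") for v in attrs.get(FILTER_ID, [])]
    if not groups:
        return "Access-Accept without Filter-Id (attribute 11)"
    if expected_group not in groups:
        return f"Filter-Id {groups} does not match {expected_group!r}"
    return "ok"

def build(code: int, attrs) -> bytes:
    """Build a constructed sample packet (authenticator zeroed, not valid crypto)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body

if __name__ == "__main__":
    samples = {   # constructed packets, not captures from a real server
        "with group": build(2, [(FILTER_ID, b"VPN-Access")]),
        "no group": build(2, [(18, b"welcome")]),   # 18 = Reply-Message
        "reject": build(3, []),
    }
    for name, pkt in samples.items():
        print(name, "->", check_group(pkt, "VPN-Access"))
```
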
